APPENDIX B. State of Montana Security Roles and Responsibilities
|
|
- Adelia Richardson
- 8 years ago
- Views:
Transcription
1 APPENDIX B State of Montana Security Roles and Responsibilities Pursuant to , MCA, Security Responsibilities of Departments for Data, each department head is required to designate an information security manager to administer the department s security program. This position, along with others within the organization, performs duties associated with a strong security program. This document contains these roles and identifies responsibilities associated with them in regards to information security as well as provides a recommended reporting structure. ROLES AND RESPONSIBILITIES The following roles and responsibilities are recommended as key positions to an adequate information security program according to NIST guidance. Not all of these positions may be applicable depending on the size and scope of the organization. A primary consideration should be how to combine responsibilities in smaller organizations or when manpower is limited where separation of duties and conflicts of interest can still be maintained for the intent and needs of security. Some of the roles explained below are grouped and in some larger organizations these may have two or more individuals or levels of management assigned to these roles with more specific responsibilities. This list is a good representation of the main groupings of functional security roles to provide a well-rounded information security program and should apply to most state agencies. A. Senior Management. The department head will ensure that an information security program is implemented and sustained sufficient to support the mission of this organization. Recommended responsibilities: Approves system security plans, Approves security assessment plans/reports, Approves memorandums of agreement or understanding, Approves plans of action and milestones, Authorizes operation of an information system, Issues an interim authorization to operate the information system under specific terms and conditions, Denies authorization to operate the information system (or if the system is already operational, halts operations) if unacceptable security risks exist, and Oversees the budget. B. Security Management. The Department Head will appoint an Information Security Manager (ISM) who directs the organization s day-to-day management of the organizations information security management program to include coordination of all security-related interactions both internal and external while maintaining a documented program (integration with continuity and records management). This position fulfills the requirements of , MCA. Recommended responsibilities:
2 Designates an Information Security Officer (ISO) who shall carry out the ISM's responsibilities for system security, Ensures information security policies and procedures are developed and maintained, Ensures the identification, implementation, and assessment of common security controls, Ensures that personnel with significant responsibilities for system security plans are trained, Ensures adequate system security planning for department, Ensures that an organization-wide information security program is effectively implemented, Ensures information security considerations are integrated into programming/planning/budgeting cycles, enterprise architectures, and acquisition/system development life cycles, Ensures information systems are covered by an approved security plan and are authorized to operate by the Agency Authorizing Official, and Ensures there is centralized reporting of all security-related activities. C. Information Security Officer. Responsible for helping to ensure that the appropriate operational security posture is maintained for each information system as well as the overall operational requirements of the technology platform. Recommended responsibilities: Carries out the IIM's responsibilities for system security planning, Coordinates the development, review and acceptance of system security plans with Information System Owners, Operational Information System Security Officer(s), Information System Security Developers, and the CIO, Coordinates the identification, implementation, and assessment of the common security controls, Serves with the Applications Manager as the ISM s primary liaison to the Information System Owners, maintains information security duties as a primary responsibility, Identifies, implements, and assesses the common security controls, and In partnership with the Applications Manager, coordinates with the Information System Owner any changes to the system and assesses the security impact of those changes. D. Program and Functional Managers/Application Owners. Responsible for a program or business function (e.g., procurement or payroll) including the supporting computer system(s). Their responsibilities include providing for appropriate security, including management, operational, and technical controls. These officials are (usually assisted) supported by a technical staff that oversees the actual workings of the system with midlevel management helping develop and implement security requirements. Recommended responsibilities: Develops the system security plan in coordination with assigned Information System Security Developers, Operational Information System Security Officer(s), and functional "end users," Maintains the system security plan,
3 Ensures that the system is deployed and operated according to the agreed-upon security requirements, Ensures that system users and support personnel receive the requisite security training, Updates the system security plan whenever a significant change occurs, Assists in the identification, implementation, and assessment of the common security controls of both the application and the information, Establishes the rules for appropriate use and protection of the subject data/information (rules of behavior), Shares information regarding the security requirements and security controls for the information where the information resides, and Decides who has access to the information system and with what types of privileges or access rights, and E. Technology Providers/System Management/System Administrators. These personnel are the managers and technicians who design and operate computer systems. They are responsible for implementing technical security on computer systems and for being familiar with security technology that relates to their system(s); ensuring consistent confidentiality, integrity, and availability. Recommended responsibilities: Plays an active role in the continuous monitoring of critical systems and the overall environment, Act as a consultant to the Information System Owner to ensure thorough security plans exist, Manages and controls changes to the system and assess the security impact of those changes Develops secure back-up and restore functions, and Executes the commands necessary to provide the access to the information systems as defined by the Information System Owner. F. Supporting Functions. The security responsibilities of managers, technology providers and security officers are supported by functions normally assigned to others. Some of the more important of these may be Auditors, Physical Security, Disaster Recovery/Contingency Planning, Quality Assurance, Procurement, Training, Personnel (HR), Risk Management/Planning Staff, and the Physical plant or office (General Services Division). G. Department Users. Regardless of the direct or indirect interaction with computers or other information systems and processes the users and the functional managers/application owners (or their representatives) are responsible for identifying and making known the needs and requirements for protection of information; confidentiality, integrity and availability. Department employees play a critical role for information security in complying with established procedures and providing the front line defense and prevention of potential breach and reduced risk. H. Contract Users. Any contracted vendor who interacts with State or Department information systems (computer supported or hardcopy) must support and comply with all established security protocols and requirements. I. State Customers. This Department will monitor and interact with State customers and e- Gov users who access public information and other State web and internet resources to ensure continuity with confidentiality, integrity, and availability of information on all
4 State Systems. J. Security Teams/Councils/Working Groups. The Department will participate with established security teams (Councils/Working Groups) which directly support best practice initiatives for continuous improvement and continuity of Department and State-wide missions. REPORTING STRUCTURE It is recommended that the Information Security Manager (ISM) report directly to the Director or Agency Head. This reporting structure is recommended because of the necessity of the ISM to be able to perform effectively and independently. SKILLS AND ABILITIES Successful ISMs must have a broad range of business management and technical security skills. Possessing a background in the development and subsequent enforcement of security policies and procedures, security awareness programs, business continuity and disaster recovery plans, IT, auditing, and applicable industry and governmental compliance issues is critical. They must be savvy in understanding the business needs of an agency and be fully supportive of its mission and goals. Some areas where an ISM must possess adequate skills and abilities include: Strategic - An agency ISM must understand the agency s program areas and business needs and their role within the activities of the agency. The ISM must keep abreast of evolving technologies to ensure appropriate security controls are implemented and maintained as agency processes change. Identifying security risks to the agency and being able to evaluate and recommend appropriate security measures, from a strategic perspective, will help management understand the risks and the need to reduce them to acceptable levels. Management and Communication Skills The ability to effectively communicate, both verbally and in writing, across all levels of management and the user community cannot be understated. The need to interact with critical staff (such as executive management, the Privacy Officer, the CIO, and the disaster recovery coordinator) and other agency business units (such as the legal, human resources, IT, procurement, business services, facilities management offices) to cooperatively achieve the goals is critical to the success of the information security program. The ability to write effectively, to explain information security in layperson terms, can be difficult. Executive management may not understand why a certain security component costs so much, or why it is important to the agency s goals. Possessing the ability to effectively develop issue papers, memorandums, letters, work plans, and other types of written communication can be invaluable in documenting security concerns and decisions, and in explaining important perspectives. Technical Competence ISMs are required to have a certain level of technical competence to lead their organization s security initiatives. They need a general knowledge of how technical issues affect the business of the agency. It is very difficult for a security leader to be respected by their agency, regardless of size, without having a proper grasp of the technical security issues that affect it. Further, it would be difficult to
5 garner the respect of the other technical staff within the organization without that knowledge. Being passionate about information security is critical to the success of the program. If an ISM is not fervent about it, he or she may find that is not the right career choice for them. Those ISMs that are fanatical about it should recognize that there is sometimes a fine line between passionate and obsessive. An important function of the ISM is to not always to say, NO! but to find secure ways to implement technologies while carefully weighing the risks against the business needs of the agency.
Guide for the Role and Responsibilities of an Information Security Officer Within State Government
Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationEVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
More informationR345, Information Technology Resource Security 1
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,
More informationUtica College. Information Security Plan
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
More informationOVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationCHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)
CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) PURPOSE: The purpose of this procedure is to establish the roles, responsibilities, and communication procedures for the Computer Security Incident
More informationHow To Check If Nasa Can Protect Itself From Hackers
SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration
More informationREPORT NO. 2013-027 OCTOBER 2012 UNIVERSITY OF FLORIDA. Operational Audit
REPORT NO. 2013-027 OCTOBER 2012 UNIVERSITY OF FLORIDA Operational Audit BOARD OF TRUSTEES AND PRESIDENT Members of the Board of Trustees and President who served during the 2011-12 fiscal year are listed
More informationBuild (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
More information2014 Audit of the Board s Information Security Program
O FFICE OF I NSPECTOR GENERAL Audit Report 2014-IT-B-019 2014 Audit of the Board s Information Security Program November 14, 2014 B OARD OF G OVERNORS OF THE F EDERAL R ESERVE S YSTEM C ONSUMER FINANCIAL
More informationHIPAA COMPLIANCE PLAN. For. CHARLES RETINA INSTITUTE (Practice Name)
HIPAA COMPLIANCE PLAN For CHARLES RETINA INSTITUTE (Practice Name) Date of Adoption 1/02/2003 Review/Update 10/25/2012 Review/Update 4/01/2014 I. COMPLIANCE PLAN A. Introduction This HIPAA Compliance Plan
More informationEthical Considerations for Lawyers Using the Cloud
Ethical Considerations for Lawyers Using the Cloud Presentation by Peter J. Guffin, Esq. Pierce Atwood LLP pguffin@pierceatwood.com (207) 791-1199 Maine State Bar Association Summer Meeting June 22, 2012
More informationClassification: Computer Information Technology Specialist II (CITS II) Information Security Unit Title Code: V08005 Pay Range: 33
Classification: Computer Information Technology Specialist II (CITS II) Information Security Unit Pay Range: 33 POSITION SUMMARY: The position provides professional and advanced technical expertise as
More informationQatar University Information Security Policies Handbook November 2013
Qatar University Information Security Policies Handbook November 2013 Information Security Policies Handbook November 2013 Produced by Information Technology Services Department / Information Security
More informationInformation Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
More informationTREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Improvements Are Needed to the Information Security Program March 11, 2008 Reference Number: 2008-20-076 This report has cleared the Treasury Inspector
More informationDISTRICT OF COLUMBIA RETIREMENT BOARD Position Vacancy Announcement
DISTRICT OF COLUMBIA RETIREMENT BOARD Position Vacancy Announcement ANNOUNCEMENT NO: 20130411 POSITION: Security Administrator OPENING DATE: April 11, 2013 CLOSING DATE: Open until filled TOUR OF DUTY:
More informationADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles and Responsibilities
Policy Title: Information Security Roles Policy Type: Administrative Policy Number: ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles Approval Date: 05/28/2014 Revised Responsible Office:
More informationIT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS
OFFICE OF THE CHIEF INFORMATION OFFICER Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES
More informationRowan University Data Governance Policy
Rowan University Data Governance Policy Effective: January 2014 Table of Contents 1. Introduction... 3 2. Regulations, Statutes, and Policies... 4 3. Policy Scope... 4 4. Governance Roles... 6 4.1. Data
More information2.5.1 Policy on Responsible Use of University Computing Resources Introduction This policy governs the proper use and management of all University of
2.5.1 Policy on Responsible Use of University Computing Resources Introduction This policy governs the proper use and management of all University of San Diego computing and network resources. This policy
More informationInstitutional Data Governance Policy
Institutional Data Governance Policy Policy Statement Institutional Data is a strategic asset of the University. As such, it is important that it be managed according to sound data governance procedures.
More informationInformation Security Program CHARTER
State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information
More informationTitle: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION
Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for
More informationSupporting FISMA and NIST SP 800-53 with Secure Managed File Transfer
IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan
More informationInformation Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationUniversity Information Technology Security Program Standard
University Information Technology Security Program Standard July 2012 Version 3.0 This standard establishes requirements and general principles for initiating, implementing, maintaining, and improving
More information---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---
---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of
More informationITIL 2011 Lifecycle Roles and Responsibilities UXC Consulting
ITIL 2011 Lifecycle Roles and Responsibilities UXC Consulting Date November 2011 Company UXC Consulting Version Version 1.5 Contact info@uxcconsulting.com.au http://www.uxcconsulting.com.au This summary
More informationPHILADELPHIA POLICE DEPARTMENT DIRECTIVE 7.18
PHILADELPHIA POLICE DEPARTMENT DIRECTIVE 7.18 Issued Date: 12-23-14 Effective Date: 12-23-14 Updated Date: SUBJECT: GRANT APPLICATIONS, PROCESSING AND ADMINISTRATION PLEAC 1.6.1 1. PURPOSE A. The purpose
More informationEPA Needs to Strengthen Its Privacy Program Management Controls
OFFICE OF INSPECTOR GENERAL Audit Report Catalyst for Improving the Environment EPA Needs to Strengthen Its Privacy Program Management Controls Report No. 2007-P-00035 September 17, 2007 Report Contributors:
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationDHHS Directive Number II-12
DHHS Directive Number II-12 Title: Delegation of Authority to the Director, Division of Information Resource Management Effective Date: November 3, 2008 Revision History: January 1, 2002 Authority: G.S.
More informationCity of Moreno Valley Date Adopted: April 6, 2007 CLASS SPECIFICATION Applications and Database Administrator
City of Moreno Valley Date Adopted: April 6, 2007 CLASS SPECIFICATION Applications and Database Administrator GENERAL PURPOSE Under direction, plans, organizes, oversees and participates in the work of
More informationAlign Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:
More informationCIOP CHAPTER 1351.40 Common Operating Environment (COE) Services Management Policy TABLE OF CONTENTS. Section 40.1. Purpose
CIOP CHAPTER 1351.40 Common Operating Environment (COE) Services Management Policy TABLE OF CONTENTS Section 40.1. Purpose... 1 Section 40.2. Background... 2 Section 40.3. Scope and Applicability... 3
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationINFORMATION ASSURANCE PROGRAM
Corporation for National & Community Service (CNCS) Office of Information Technology INFORMATION ASSURANCE PROGRAM November 2012 Table of Contents 1. Information Assurance Program... 1 1.2 What are the
More informationProtecting Official Records as Evidence in the Cloud Environment. Anne Thurston
Protecting Official Records as Evidence in the Cloud Environment Anne Thurston Introduction In a cloud computing environment, government records are held in virtual storage. A service provider looks after
More informationState Agency Manual of Records Management Policies
State Agency Manual of Records Management Policies Explaining the Sample Policy Manual This is a sample records management policy manual for executive branch agencies in New York State government. The
More informationCHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033
CHAPTER 2016-138 Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 An act relating to information technology security; amending s. 20.61, F.S.; revising the
More informationINFORMATION SECURITY STRATEGIC PLAN
INFORMATION SECURITY STRATEGIC PLAN UNIVERSITY OF CONNECTICUT INFORMATION SECURITY OFFICE 4/20/10 University of Connecticut / Jason Pufahl, CISSP, CISM 1 1 MISSION STATEMENT The mission of the Information
More informationVirginia Commonwealth University Information Security Standard
Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,
More informationProfessional Level Public Health Informatician
Professional Level Public Health Informatician Sample Position Description and Sample Career Ladder April 2014 Acknowledgements Public Health Informatics Institute (PHII) wishes to thank the Association
More informationDepartment of Administration Goals and Objectives
Department of Administration Goals and Objectives 2015 Biennium Goal 1: Advance the department's mission, vision, and values by providing excellent, timely, and cost-effective customer service. Challenge
More informationPublication 805-A Revision: Certification and Accreditation
Postal Bulletin 22358 (3-7-13) Policies, Procedures, and Forms Updates Publication 805-A Revision: Certification and Accreditation Effective immediately, the January 2013 edition of Publication 805-A,
More informationOur mission is to help our clients. maintain 401(k) compliance and avoid unnecessary risk. COLLABORATION. COMPLIANCE. CONVENIENCE.
Our mission is to help our clients maintain 401(k) compliance and avoid unnecessary risk. COLLABORATION. COMPLIANCE. CONVENIENCE. More Info: d o n a l.fo rd @ 3 1 6 f i d u ciary.com w w w. 3 1 6 f i d
More informationDepartment of Veterans Affairs VA Handbook 6500. Information Security Program
Department of Veterans Affairs VA Handbook 6500 Washington, DC 20420 Transmittal Sheet September 18, 2007 Information Security Program 1. REASON FOR ISSUE: To provide specific procedures and establish
More informationUnited States Antarctic Program Information Resource Management Directive 5000.01 The USAP Information Security Program
The National Science Foundation Office of Polar Programs United States Antarctic Program Information Resource Management Directive 5000.01 The USAP Information Security Program Organizational Function
More informationMontana Legislative Fiscal Division. September 15, 2000. Prepared by Greg DeWitt, Senior Fiscal Analyst Pamela Joehler, Senior Fiscal Analyst
Montana Legislative Fiscal Division Information Technology Management Study Final Report September 15, 2000 Prepared by Greg DeWitt, Senior Fiscal Analyst Pamela Joehler, Senior Fiscal Analyst Information
More informationCOMPLIANCE BENEFITS OF SAP ARCHIVING
O P E R AT I O NA L A N D COMPLIANCE BENEFITS OF SAP ARCHIVING A article sponsored by EMC Author: Jarad Carleton, Senior Consultant ICT Practice Partnering with clients to create innovative growth strategies
More informationInformation Resource Management Directive 5000.09 USAP Information Security Awareness, Training and Education Program
The National Science Foundation Polar Programs United States Antarctic Program Information Resource Management Directive 5000.09 USAP Information Security Awareness, Training and Education Program Organizational
More informationDepartment of Defense DIRECTIVE
Department of Defense DIRECTIVE NUMBER 5400.11 October 29, 2014 DCMO SUBJECT: DoD Privacy Program References: See Enclosure 1 1. PURPOSE. This directive: a. Reissues DoD Directive (DoDD) 5400.11 (Reference
More informationAUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES
AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES Final Report Prepared by Dr Janet Tweedie & Dr Julie West June 2010 Produced for AGIMO by
More informationIntegrated Governance, Risk and Compliance (igrc) Approach
U.S. Department of Homeland Security (DHS) United States Secret Service (USSS) Integrated Governance, Risk and Compliance (igrc) Approach Concept Paper* *connectedthinking Provided to: Provided by: Mrs.
More informationPlan Development Getting from Principles to Paper
Plan Development Getting from Principles to Paper March 22, 2015 Table of Contents / Agenda Goals of the workshop Overview of relevant standards Industry standards Government regulations Company standards
More informationNSW Government Digital Information Security Policy
NSW Government Digital Information Security Policy Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...
More informationCITY OF HOUSTON. Executive Order. Information Technology (IT) Governance
CITY OF HOUSTON Executive Order E.O. No: 1-44 Effective Date: December 20, 2012 1. AUTHORITY 1.1 Article VI, Section 7a, of the City Charter of the City of Houston. 2. PURPOSE 2.1 The City of Houston seeks
More informationSeptember 2005 Report No. 06-009
An Audit Report on The Health and Human Services Commission s Consolidation of Administrative Support Functions Report No. 06-009 John Keel, CPA State Auditor An Audit Report on The Health and Human Services
More informationPart A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...
Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation
More information10. Bureau of Information Technology
10. Bureau of Information Technology Act 6634 (a) There is established within the Office of the Governor, a Bureau of Information Technology (BIT). The Bureau shall be administered by a Director, who shall
More informationUNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY
PURPOSE The University of Rochester recognizes the vital role information technology plays in the University s missions and related administrative activities as well as the importance in an academic environment
More informationGuideline for Roles & Responsibilities in Information Asset Management
ISO 27001 Implementer s Forum Guideline for Roles & Responsibilities in Information Asset Management Document ID ISMS/GL/ 003 Classification Internal Use Only Version Number Initial Owner Issue Date 07-08-2009
More informationEvaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12
Evaluation Report Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review April 30, 2014 Report Number 14-12 U.S. Small Business Administration Office of Inspector General
More informationSENIOR INFORMATION SYSTEMS MANAGER
CITY OF PORTLAND Multiple SENIOR INFORMATION SYSTEMS MANAGER FLSA Status: Union Representation: Exempt Nonrepresented DEFINITION To plan, manage, supervise and coordinate information systems activities
More informationFAIR Act Inventory Functions and Service Contract Inventory Product Service Codes Crosswalk Attachment I
Product Service Code (PSC) Recommended PSC Definition FAIR Function Codes and Definitions 1 B510 Study/Environmental Assessments - Organized, analytical assessments/evaluations in support of policy development,
More informationState of Montana Montana Board of Crime Control. Agency IT Plan Fiscal Year 2012-2017
State of Montana Montana Board of Crime Control Agency IT Plan Fiscal Year 2012-2017 Prepared July 2012 Brooke Marshall, Executive Director Jerry Kozak, IT Manager Board of Crime Control 5 S Last Chance
More informationA Management Perspective
May 1998 The Chief Information Officer A Management Perspective Contents Purpose... 1 Background... 1 Legislative Action... 2 Guiding Principles... 2 Agency Responsibilities 3 CIO Appointment... 3 CIO
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationCopyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience
Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Management Model (CERT-RMM), both developed at Carnegie
More informationBPA Policy 434-1 Cyber Security Program
B O N N E V I L L E P O W E R A D M I N I S T R A T I O N BPA Policy Table of Contents.1 Purpose & Background...2.2 Policy Owner... 2.3 Applicability... 2.4 Terms & Definitions... 2.5 Policy... 5.6 Policy
More informationTREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Disaster Recovery Testing Is Being Adequately Performed, but Problem Reporting and Tracking Can Be Improved May 3, 2012 Reference Number: 2012-20-041 This
More informationInformation Technology Division
Information Technology Division Findings on Reportable Conditions Finding Number 15: Access to Production and Utility Libraries Should Be More Restricted Although ITD has made a significant effort to restrict
More informationV E H I C L E / E Q U I P M E N T R E P AI R T E C H N I C I AN S U P E R V I S O R Schematic Code 17318 (30005065)
V E H I C L E / E Q U I P M E N T R E P AI R T E C H N I C I AN S U P E R V I S O R Schematic Code 17318 (30005065) I. DESCRIPTION OF WORK Positions in this banded class supervise of a group of mechanics,
More informationInformation Management Responsibilities and Accountability GUIDANCE September 2013 Version 1
Information Management Responsibilities and Accountability GUIDANCE September 2013 Version 1 Document Control Document history Date Version No. Description Author September 2013 1.0 Final Department of
More informationTechnical Competency Framework for Information Management (IM)
Technical Competency Framework for Information Management (IM) Office of the Chief Information Officer (OCIO) June 15, 2009 Table of contents IM Competency Framework...1 Competency 1: Information Management
More informationAchieving Security through Compliance
Achieving Security through Compliance Policies, plans, and procedures Table of Contents This white paper was written by: McAfee Foundstone Professional Services Overview...3 The Rock Foundation...3 Governance...3
More informationInformation Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.
Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments
More informationGuideline for Mapping Types of Information and Information Systems to Security Categorization Levels SP 800-60 AP-2/03-1
Guideline for Mapping Types of Information and Information Systems to Security Categorization Levels SP 800-60 FISMA Legislation Overview (Public Law 107-347) Framework for ensuring effectiveness of Federal
More informationContingency Plan 32 Success Secrets. Copyright by Philip Downs
Contingency Plan 32 Success Secrets Copyright by Philip Downs Notice of rights All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical,
More informationPART 10 COMPUTER SYSTEMS
PART 10 COMPUTER SYSTEMS 10-1 PART 10 COMPUTER SYSTEMS The following is a general outline of steps to follow when contemplating the purchase of data processing hardware and/or software. The State Board
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all
More informationSecurity Control Standard
Department of the Interior Security Control Standard Program Management April 2011 Version: 1.1 Signature Approval Page Designated Official Bernard J. Mazer, Department of the Interior, Chief Information
More informationInformation Technology Engineers Examination. Network Specialist Examination. (Level 4) Syllabus. Details of Knowledge and Skills Required for
Information Technology Engineers Examination Network Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination Version 2.0
More informationExecutive Management of Information Security
WHITE PAPER Executive Management of Information Security _experience the commitment Entire contents 2004, 2010 by CGI Group Inc. All rights reserved. Reproduction of this publication in any form without
More informationFor additional information on T.I.P.S. please call us at 818-787-3946 or email tips@nagyprotectionservices.com
TOTALLY INTEGRATED PROTECTION SERVICES (T.I.P.S) 1 T.I.P.S (Totally Integrated Protection Services) Security Risk Analysis Survey Reports Contract security officer services Special event security services
More informationSRA International Managed Information Systems Internal Audit Report
SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...
More informationGuide for the Security Certification and Accreditation of Federal Information Systems
NIST Special Publication 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems Ron Ross Marianne Swanson Gary Stoneburner Stu Katzke Arnold Johnson I N F O R M A
More informationAUDITING A BCP PLAN. Thomas Bronack Auditing a BCP Plan presentation Page: 1
AUDITING A BCP PLAN Thomas Bronack Auditing a BCP Plan presentation Page: 1 What are the Objectives of a Good BCP Plan Protect employees Restore critical business processes or functions to minimize the
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
More informationLegislative Audit Division State of Montana. Criminal Justice Information Network (CJIN)
Legislative Audit Division State of Montana November 2004 Report to the Legislature Information System Audit Criminal Justice Information Network (CJIN) Department of Justice This report contains the results
More information4-06-55 Controlling Data Resources in Distributed Environments Barbara Grant
4-06-55 Controlling Data Resources in Distributed Environments Barbara Grant Payoff As the role of data in an organization expands and data becomes increasingly related to profitability, the impact of
More informationProject Review Board Governance Guide
King County Office of INFORMATION RESOURCE MANAGEMENT Project Review Board Governance Guide Developed by Version 2.1 October 2008 Table of Contents Table of Contents... i Table of Figures... i Governance
More informationCLASSIFICATION SPECIFICATION FORM
www.mpi.mb.ca CLASSIFICATION SPECIFICATION FORM Human Resources CLASSIFICATION TITLE: POSITION TITLE: (If different from above) DEPARTMENT: DIVISION: LOCATION: Executive Director Executive Director, Information
More informationElectronic Records Management
Electronic Records Management HOW TRANSIT AGENCIES CAN LEVERAGE THEIR USE What is Electronic Records Management Electronic Records Management (ERM) utilizes technology to enable the indexing, imaging,
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationJuly 2013 Report No. 13-042
John Keel, CPA State Auditor An Audit Report on Selected State Contracts at the Texas Education Agency Report No. 13-042 An Audit Report on Selected State Contracts at the Texas Education Agency Overall
More information